[or-cvs] [torbutton/maint-1.2] Document Private Browsing Mode review.

[mikeperry@xxxxxxxx]

Author: Mike Perry <mikeperry-git@xxxxxxxxxx>
Date: Wed, 30 Sep 2009 21:37:24 -0700
Subject: Document Private Browsing Mode review.
Commit: 4d2006b944841006e9b0314c007717c19258241d

---
 website/design/FF35_AUDIT |   76 ++++++++++++++++++++++++++++++++++++++++++---
 1 files changed, 71 insertions(+), 5 deletions(-)

diff --git a/website/design/FF35_AUDIT b/website/design/FF35_AUDIT
index 2e249a6..3db462c 100644
--- a/website/design/FF35_AUDIT
+++ b/website/design/FF35_AUDIT
@@ -22,6 +22,7 @@ First pass: Quick Review of Firefox Features
   - navigator.geolocation
     - Governed by geo.enabled
     - "2 week access token" is set
+      - geo.wifi.access_token.. Clearing is prob a good idea
     - http://mxr.mozilla.org/mozilla1.9.1/source/dom/src/geolocation/NetworkGeolocationProvider.js
     - https://developer.mozilla.org/En/Using_geolocation
 - DNS prefetching after toggle
@@ -92,20 +93,85 @@ First pass: Quick Review of Firefox Features
 
 Second Pass: Verification of all Torbutton Assumptions
 - "Better privacy controls"
-- "Swap DocShell"
-  - https://developer.mozilla.org/En/XUL/Method/SwapDocShells
+  - Basically UI stuff for prefs we set already
+  - address bar search disable option is interesting, but not
+    torbutton's job to toggle. Users will hate us.
 - Private browsing
   - https://developer.mozilla.org/En/Supporting_private_browsing_mode
+    - We should consider an option (off by default) to enable PBM during
+      toggle
+      - It is a good idea because it will let our users use DOM storage
+        safely and also may cause their plugins and other addons to be
+        safe
+      - Doing it always will cause the user to lose fine-grained control
+        of many settings
+        - Also we'll need to prevent them from leaving without toggling tor
+        - Stuff the emit does (grep for NS_PRIVATE_BROWSING_SWITCH_TOPIC and
+          "private-browsing")
+          - XXX:  clear mozilla.org/security/sdr;1. We should too! Wtf is it??
+          - They also clear the console service..
+          - Recommend watching private-browsing-cancel-vote and blocking if
+            we are performing a db operation
+            - Maybe we want to block transitions during our toggle for safety
+          - XXX: They also clear general.open_location.last_url
+          - XXX: mozilla.org/permissionmanager
+          - XXX: mozilla.org/content-pref/service
+          - XXX: Sets browser.zoom.siteSpecific to false
+          - Interesting.. They clear their titles.. I wonder if some
+            window managers log titles.. But that level of surveillance is
+            unbeatable..
+            - XXX: Unless there is some way for flash or script to read titles?
+          - They empty the clipboard..
+            - Can js access the clipboard?? ...
+            - Yes, but needs special pref+confirmation box
+              - http://www.dynamic-tools.net/toolbox/copyToClipboard/
+          - They clear cache..
+          - Cookies:
+            - Use in-memory table that is different than their default
+              - This could fuck up our cookie storage options
+              - We could maybe prevent them from getting this
+                event by wrapping nsCookieService::Observe(). Lullz..
+          - NavHistory:
+            - XXX: nsNavHistory::AutoCompleteFeedback() doesn't track
+              awesomebar choices for feedback.. Is this done on disk?
+            - Don't add history entries
+            - We should block this observe event too if we can..
+          - The session store stops storing tabs
+            - We could block this observe
+          - XXX: They expunge private temporary files on exit from PMB
+            - This is not done normally until browser exit or
+              "on-profile-change"
+           - emits browser:purge-domain-data.. Mostly just for session
+             editing it appears
+           - Direct component query for pbs.privateBrowsingEnabled
+              - This is where we have no ability to provide certain option
+                control
+              - browser.js seems to prevent user from allowing blocked
+                popups?
+              - Some items in some places context menu get blocked:
+                - Can't delete items from history? placesContext_deleteHost
+              - nsCookiePermission::InPrivateBrowsing() calls direct
+                - but is irellevant
+              - Form history cannot be saved while in PBM.. :(
+              - User won't be prompted for adding login passwords..
+              - Can't remember prefs on content types
+              - Many components read this value upon init:
+                - This fucks up our observer game if tor starts enabled
+                - NavHistory and cookie and dl manager
+                - We could just wrap the bool on startup and lie
+                  and emit later... :/
+                  - Or! emit an exit and an enter always at startup if tor is
+                    enabled.
   - Read iSec report
   - Compare to Chrome
     - API use cases
-- https://developer.mozilla.org/En/Security_changes_in_Firefox_3.5
-- SSL Toggle
+- SSL Toggle to clear session id
 - Unto tabs Toggle
-- SafeBrowsing Update Key
+- SafeBrowsing Update Key removed on cookie clear still?
 - Places
 - SessionStore
   - Has been reworked with observers and write methods. Should use those.
+- check if nsICertStore is still buggy...
 
 Third Pass: Exploit Auditing
 - Remote fonts
-- 
1.5.6.5